more mfa scripting logic

Mathis, Bradley bmathis at pima.edu
Mon Feb 5 16:10:54 EST 2018


Thanks Lee, I like the idea of using a group for the CAS/MFA service. I
may try to use that.

The part I don't get from your example (and it's definitely my lack of
understanding) ... where is it that you are forcing DUO for those Banner/CAS
services?

Also, do you have more than one authentication type enabled? I only have
MFA enabled. I was specifying the MFA authentication in the relying-party
config file also, but took it out when I realized that to do opt-in for Duo
on everything I was going to have to send everything to the MFA flow. Your
suggestion might work for me (or at least part of it) .... I will have to
think it through and test it out.

Thanks for your input!


Brad Mathis
Principal Systems Analyst
Pima Community College
IT - Technical Services
520.206.4826
bmathis at pima.edu

On Mon, Feb 5, 2018 at 1:34 PM, Lee Foltz <foltz2 at oakland.edu> wrote:

> Brad,
> We did the following for Banner 9 services.
>
> We created this entry in relying-party.xml. Then all we do is add the CAS
> services we want to use MFA to the mfa-services group in cas-protocol.xml
> (p:group="mfa-services").
>
>  <!-- Relying parties in the mfa-services group: CAS login asks for the MFA authentication context -->
>  <bean parent="RelyingPartyByGroup" c:groupNames="mfa-services">
>      <property name="profileConfigurations">
>          <list>
>              <bean parent="CAS.LoginConfiguration">
>                  <property name="defaultAuthenticationMethods">
>                      <list>
>                          <bean parent="shibboleth.SAML2AuthnContextClassRef"
>                                c:classRef="http://id.incommon.org/assurance/mfa" />
>                          <!--<bean parent="shibboleth.SAML2AuthnContextClassRef"
>                                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />-->
>                      </list>
>                  </property>
>              </bean>
>              <bean parent="CAS.ProxyConfiguration" />
>              <bean parent="CAS.ValidateConfiguration" />
>          </list>
>      </property>
>  </bean>
>
> Then in cas-protocol.xml we did this
>
> <!-- Banner Application Navigator: member of the mfa-services group -->
> <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
>       c:regex="https://somebox.name.edu:8443(/.*)?"
>       p:group="mfa-services"
>       p:authorizedToProxy="true"
>       p:singleLogoutParticipant="true" />
>
> All our other CAS services are just "authn/Password", but if we add them
> to this p:group it uses authn/DUO after authn/Password.
> One nice feature is since the cas file reloads every 15 minutes, we don't
> have to restart service to add a new MFA service.
>
>
>
> On Mon, Feb 5, 2018 at 1:57 PM, Mathis, Bradley <bmathis at pima.edu> wrote:
>
>> Howdy all,
>>
>> I'm successfully using MFA logic to send specific users to Duo
>> Authentication, thanks to the samples/documentation/wiki and postings from
>> users here on users at shibboleth.net.
>> I'm now adding another piece of MFA logic to the mfa-authn-config.xml
>> checkSecondFactor inline script.
>>
>> Prior to checking for specific user attributes I'm now first checking the
>> RelyingPartyId to see if Duo is needed. I'm able to do this
>> successfully after stealing some example logic that Andrew Morgan posted
>> ... Thanks Andrew!
>>
>>
>> This is an excerpt from my mfa-authn-config.xml
>>
>>     rpid = profileContext.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext").getRelyingPartyId();
>>     if (rpid.equals("https://banner-temp.pima.edu/applicationNavigator/j_spring_cas_security_check")) {
>>         nextFlow = "authn/Duo";
>>     }
>>
>>
>> The above works if I add an if statement for every RelyingPartyId
>> separately.  I was hoping I might be able to use a regular expression and
>> do a pattern match or something like that (my terminology is probably
>> wrong). I'm not a programmer.
>>
>>
>> e.g.
>>
>> Let's say I have multiple RelyingPartyIds like this
>>
>> https://banner-temp.pima.edu/applicationNavigator/j_spring_cas_security_check
>> https://banner-dev.pima.edu/applicationNavigator/j_spring_cas_security_check
>> https://banner-test.pima.edu/applicationNavigator/j_spring_cas_security_check
>> https://banner-prod.pima.edu/applicationNavigator/j_spring_cas_security_check
>> rather than creating an if statement for each one I would like to do a
>> pattern match up against something like this
>>
>> (https:\/\/.+(pima.edu\/applicationNavigator\/j_spring_cas_security_check)\/?.*)
>>
>>
>> and if it's true then set the nextFlow = "authn/Duo"
>>
>>
>> Anyone have a sample I can hack at? If not, no worries; I'm very happy
>> with my success so far and can probably live with adding each one
>> separately.
>>
>>
>> Thanks!
>>
>>
>>
>>
>> Brad Mathis
>> Principal Systems Analyst
>> Pima Community College
>> IT - Technical Services
>> 520.206.4826
>> bmathis at pima.edu
>>
>> --
>> For Consortium Member technical support, see
>> https://wiki.shibboleth.net/confluence/x/coFAAg
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
>>
>
>
>
> --
> Lee Foltz
> Oakland University - UTS
> Senior Identity Systems Engineer
>
> 248-370-2675
>
>
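Added example (not code from Brad, Lee or the Shibboleth project): the pattern-match version of the RelyingPartyId check that the original question asks for. The list of four Banner hosts, the "authn/Duo" flow name and the profileContext binding are taken from the excerpt in the thread; MFA_SERVICE_PATTERNS, flowForRelyingParty and classify are names chosen here, and the two look-alike URLs are constructed test input. The functions are plain JavaScript so they can be tried in Node before being pasted into the Nashorn-based checkSecondFactor script, where rpid arrives as a Java String.

```javascript
// Added example, not code from the thread. Pure JavaScript so it can be
// tried in Node; inside the IdP's checkSecondFactor script it runs under
// Nashorn, where rpid arrives as a Java String.

// Hypothetical allow-list of relying party IDs that require Duo. Each pattern
// is anchored (^ ... $) with literal dots escaped, so only the intended Banner
// hosts match: a URL on another host whose path or query merely contains
// "pima.edu/applicationNavigator/..." does not. An optional path suffix or
// query string after the CAS endpoint is accepted.
var MFA_SERVICE_PATTERNS = [
  /^https:\/\/banner-(temp|dev|test|prod)\.pima\.edu\/applicationNavigator\/j_spring_cas_security_check([\/?].*)?$/
];

// Decide the next flow from the relying party ID alone. Returns "authn/Duo"
// on a match and null otherwise, so the caller can fall through to its
// existing per-user attribute checks instead of short-circuiting them.
function flowForRelyingParty(rpid, patterns) {
  if (rpid === null || rpid === undefined) {
    return null; // no RelyingPartyContext / no ID yet; let later checks decide
  }
  var id = "" + rpid; // coerce a Java String to a JS string before regex use
  for (var i = 0; i < patterns.length; i++) {
    if (patterns[i].test(id)) {
      return "authn/Duo";
    }
  }
  return null;
}

// Constructed sample relying party IDs for a dry run: the four Banner hosts
// from the question plus two look-alikes that must not be sent to Duo.
var SAMPLE_RPIDS = [
  "https://banner-temp.pima.edu/applicationNavigator/j_spring_cas_security_check",
  "https://banner-dev.pima.edu/applicationNavigator/j_spring_cas_security_check",
  "https://banner-test.pima.edu/applicationNavigator/j_spring_cas_security_check",
  "https://banner-prod.pima.edu/applicationNavigator/j_spring_cas_security_check",
  "https://banner-prod.pima.edu.attacker.example/applicationNavigator/j_spring_cas_security_check",
  "https://attacker.example/?next=https://banner-prod.pima.edu/applicationNavigator/j_spring_cas_security_check"
];

// Map every sample ID to the flow it would get; useful for checking a new
// pattern before the IdP picks it up.
function classify(rpids, patterns) {
  var result = {};
  for (var i = 0; i < rpids.length; i++) {
    result[rpids[i]] = flowForRelyingParty(rpids[i], patterns);
  }
  return result;
}

// Sketch of how this sits in the checkSecondFactor inline script (Nashorn
// only, so left as a comment here). profileContext is assumed to be bound
// as in the excerpt quoted above:
//
//   var rpCtx = profileContext.getSubcontext(
//       "net.shibboleth.idp.profile.context.RelyingPartyContext");
//   var rpid  = (rpCtx != null) ? rpCtx.getRelyingPartyId() : null;
//   var flow  = flowForRelyingParty(rpid, MFA_SERVICE_PATTERNS);
//   if (flow !== null) {
//     nextFlow = flow;
//   } else {
//     // existing attribute-based checks go here
//   }

if (typeof require !== "undefined" && require.main === module) {
  console.log(classify(SAMPLE_RPIDS, MFA_SERVICE_PATTERNS));
}
```

Run it with node to see which of the sample IDs land on "authn/Duo" and which stay null. The host alternation (temp|dev|test|prod) is deliberately an explicit list; it can be widened to something like banner-[a-z0-9-]+ if new Banner hosts appear often, but keeping the host part anchored and the dots escaped is what stops a foreign service URL that embeds the Banner string from being treated as a Banner relying party.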